Question

I created a user in Windows 2008 Server. In the Security tab, I denied all Extended rights for SELF and EVERYONE. Even though this includes "Change Password", "User cannot change password" in the Account tab is not checked. But I am unable to change the password with that user.

When I check it manually and uncheck it, there is no change. It is denied no matter whether I check or uncheck the value of "User cannot change password" in the Account tab.

Answers

In ADUC, when you check "User cannot change password", two ACEs (Access Control Entries) are added to the DACL (Discretionary Access Control List) of the user that deny permission to change the password. One ACE denies permission for the user, the other denies permission for the group Everyone. When you uncheck this, the two deny ACEs are removed.

When you deny all extended rights, this also denies permission to change the password. Either way, the user cannot change their own password. I can confirm that when you deny all extended rights, the check box for "User cannot change password" is not checked. This is just how ADUC works. I think it is because a different GUID is used in the ACEs. See this article for some details:

The GUID for "User cannot change password" is "{AB721A53-1E2F-11D0-9819-00AA0040529B}", and ADUC must look for this on the Account tab for the check box. The GUID (or GUIDs) for "deny all extended rights" would be different.
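As an added example (not part of the original thread), the PowerShell below reads a user's DACL and separates the two cases described above: a deny ACE on the User-Change-Password GUID quoted in the answer versus a blanket deny of all extended rights, which ADUC does not reflect in the Account tab check box. It assumes the ActiveDirectory RSAT module (which provides the AD: drive) is installed, that the caller can read the object's security descriptor, and 'jdoe' is a placeholder account name.

```powershell
# Extended right "User-Change-Password", the GUID quoted in the answer above.
$UserChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Get-PasswordChangeDenials {
    param([Parameter(Mandatory)][string]$SamAccountName)

    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $SamAccountName
    # The AD: PSDrive exposes the object's security descriptor to Get-Acl.
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($ace in $acl.Access) {
        # Only Deny entries carrying the ExtendedRight flag can block a password change.
        if ($ace.AccessControlType -ne 'Deny') { continue }
        if (($ace.ActiveDirectoryRights -band $extendedRight) -ne $extendedRight) { continue }

        if ($ace.ObjectType -eq $UserChangePasswordGuid) {
            # This is exactly what the "User cannot change password" box adds (SELF + Everyone).
            $scope = 'User-Change-Password only'
            $reflectedInAccountTab = $true
        } elseif ($ace.ObjectType -eq [Guid]::Empty) {
            # An empty ObjectType means the deny covers ALL extended rights, as set on the
            # Security tab. It still blocks password change but ADUC does not show it as checked.
            $scope = 'ALL extended rights (includes User-Change-Password)'
            $reflectedInAccountTab = $false
        } else {
            continue   # deny of some other single extended right; not relevant here
        }

        [pscustomobject]@{
            Trustee               = $ace.IdentityReference.Value
            DeniedScope           = $scope
            Inherited             = $ace.IsInherited
            ReflectedInAccountTab = $reflectedInAccountTab
        }
    }
}

# Usage: list the blocking ACEs and explain why the Account tab may look unchecked.
$denials = Get-PasswordChangeDenials -SamAccountName 'jdoe'   # placeholder account
if (-not $denials) {
    'No deny ACE blocks this user from changing their own password.'
} else {
    $denials | Format-Table -AutoSize
    if ($denials | Where-Object { -not $_.ReflectedInAccountTab }) {
        'Password change is blocked by a deny of all extended rights; remove that ACE under Security > Advanced, not via the Account tab.'
    }
}
```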
